- Added support for "dyndb", a new API for loading zone data
from an external database, developed by Red Hat for the FreeIPA
project.
- - New "fetchlimit" quotas are now available for the use of
- recursive resolvers that are are under high query load for
- domains whose authoritative servers are nonresponsive or are
- experiencing a denial of service attack:
+ - "fetchlimit" quotas are now compiled in by default. These
+ are for the use of recursive resolvers that are are under
+ high query load for domains whose authoritative servers are
+ nonresponsive or are experiencing a denial of service attack:
+ "fetches-per-server" limits the number of simultaneous queries
that can be sent to any single authoritative server. The
configured value is a starting point; it is automatically
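Review bot: the added line "are for the use of recursive resolvers that are are under" carries over the doubled "are are" from the text it replaces; since the sentence is being rewritten anyway, drop the extra word. The entry also says the quotas are "compiled in by default" without naming the build option that used to be required, which readers upgrading from an older build would look for here.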
</listitem>
<listitem>
<para>
- New quotas have been added to limit the queries that are
- sent by recursive resolvers to authoritative servers
- experiencing denial-of-service attacks. When configured,
- these options can both reduce the harm done to authoritative
+ Fetch quotas are now compiled in by default: they
+ no longer require BIND to be configured with
+ <command>--enable-fetchlimit</command>, as was the case
+ when the feature was introduced in BIND 9.10.3.
+ </para>
+ <para>
+ These quotas limit the queries that are sent by recursive
+ resolvers to authoritative servers experiencing denial-of-service
+ attacks. They can both reduce the harm done to authoritative
servers and also avoid the resource exhaustion that can be
experienced by recursive servers when they are being used as a
vehicle for such an attack.
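Review bot: in the new first paragraph, "no longer require BIND to be configured with --enable-fetchlimit" can be read as a named.conf setting rather than a build-time switch; "built with" or "the configure option" would be unambiguous, and the DocBook option element fits a flag better than command. The rewrite also drops "When configured," from the second paragraph, so if compiling the feature in does not by itself turn any quota on, say so explicitly.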
recursive lookup returns NXDOMAIN, a second lookup is
initiated with the specified name appended to the query
name. This allows NXDOMAIN redirection data to be supplied
- by multiple zones configured on the server or by recursive
+ by multiple zones configured on the server, or by recursive
queries to other servers. (The older method, using
a single <command>type redirect</command> zone, has
better average performance but is less flexible.) [RT #37989]
[RT #39047]
</para>
</listitem>
- <listitem>
- <para>
- A alternative NXDOMAIN redirect method (nxdomain-redirect)
- which allows the redirect information to be looked up from
- a namespace on the Internet rather than requiring a zone
- to be configured on the server is now available.
- </para>
- </listitem>
<listitem>
<para>
Retrieving the local port range from net.ipv4.ip_local_port_range
<listitem>
<para>
The default preferred glue is now the address type of the
- transport the query was received over.
+ transport the query was received over.
</para>
</listitem>
<listitem>
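Review bot: the removed and added "transport the query was received over." lines read identically, so this is presumably a whitespace-only change. That is fine, but mention it in the commit message or split it out so it does not look like a content edit in the release notes history.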
does the same but only when answering recursive queries.
</para>
</listitem>
- </itemizedlist>
- </section>
-
- <section xml:id="relnotes_port"><info><title>Porting Changes</title></info>
- <itemizedlist>
<listitem>
<para>
- None.
+ At server startup time, the queues for processing
+ notify and zone refresh queries are now processed in
+ LIFO rather than FIFO order, to speed up
+ loading of newly added zones. [RT #42825]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ When answering queries of type MX or SRV, TLSA records for
+ the target name are now included in the additional section
+ to speed up DANE processing. [RT #42894]
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <command>named</command> can now use the TCP Fast Open
+ mechanism on the server side, if supported by the
+ local operating system. [RT #42866]
</para>
</listitem>
</itemizedlist>
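Review bot: deleting the section with xml:id="relnotes_port" ("Porting Changes", content "None.") also removes the closing itemizedlist and section tags of the preceding list, so the three new items land under whatever heading came before it. Check that the LIFO, TLSA and TCP Fast Open entries belong under that heading and that nothing else links to relnotes_port. The TCP Fast Open item could also say whether it is on by default or needs a build or runtime setting, since "if supported by the local operating system" leaves that open.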